This change does the following:
- Create /second_stage_resources empty dir at root.
- At runtime:
- At first stage init:
- mount tmpfs to /second_stage_resources.
- Copy /system/etc/ramdisk/build.prop to
/second_stage_resources/system/etc/ramdisk/build.prop
- At second stage init:
- Load prop from the above path
- umount /second_stage_resources
Test: getprop -Z
Test: getprop
Bug: 169169031
Change-Id: I18b16aa5fd42fa44686c858982a17791b2d43489
If BOARD_MOVE_GSI_AVB_KEYS_TO_VENDOR_BOOT is set, move GSI AVB keys
to vendor_boot. The existence of these keys are device-specific, and
should not exist in the generic boot image.
Test: manual
Bug: 156098440
Change-Id: Iabe002a9f1ecd2fdf109beed98db6edd3f092399
Without enabling the encryption on this folder, we will not be able to
rename files from this folder to /data/app folder, since /data/app
folder is encrypted. Trying to rename files between unencrypted folder
to encrypted folder throws EXDEV error.
Turning on encryption for /data/app-staging has the following concerns:
1. Turning on the encryption will erase all of its content. But this is fine
since during OTA we fail all staged sessions anyway.
2. We need to create hardlinks from /data/app-staging to
/data/apex/active. This is also fine since we will be creating link from
encrypted folder (/data/app-staging) to non-encrypted folder and this
does not throw EXDEV error.
Bug: 163037460
Test: atest StagedInstallTest
Change-Id: Ie78f6df0c0e08de54a39c5e406957ad0a56b7727
Since Android R, the FUSE prop is always on and FUSE-off is no longer
supported
Test: m
Bug: 160159282
Change-Id: I6db20fe8cbf8d260ba21fed5da289eacd4e53ef5
Create directories under /data/local/tests at boot for atest to use
to execute tests on the device.
Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ic8e5031ad8701a063be14b6db760feb78f3eb412
... as the mount point for the modules partition. If
the partition does not exist, just leave the directory
empty.
Test: on CF check /proc/mounts
Bug: 163543381
Change-Id: I2fa96199a029179395a2d655937728f4275ba2b3
Store pertinent information about userspace reboot events in the case
of failure. This information is any services which failed to stop
cleanly, the output of the default fstab and /proc/mounts, and
a list of mounts which failed to unmount. This information is only
stored as necessary (i.e. mount information will not be stored if
everything unmounted, even if some services failed to stop).
Added new /metadata/userspacereboot directory to persist this
information. Information older than 3 days will be deleted.
Test: adb reboot userspace with sigterm/sigkill timeouts set to
very low values
Test: Manual test of storing all other information
Bug: 151820675
Change-Id: I6cfbfae92a7fc6f6c984475cad2c50c559924866
https://r.android.com/c/1324649/5 moves the cgroup folder to its sysfs
path. Directory access rights are defined by kernel code and sepolicy,
so remove the initialization lines from init.rc.
Test: manually booted the device and verified access rights for
/sys/fs/cgroup
Bug: 154548692
Change-Id: I67284dc651ed529cae69e413b66c6e1292a2d970
remove cgroup v1 freezer entries from init.rc, add a new cgroup v2
controller and modify plists to properly interact with it.
Bug: 154548692
Test: manually verified the the cgroup v1 freezer controller isn't
created and a new controller for cgroup v2 is created under the correct
sysfs directory.
Change-Id: I1b811300ade486f88fdbd157255a7f37750cc54d
create new profiles to allowing thawing and freezing back the freezer
cgroup
Bug: 151225245
Test: Manually verified that using the SetTaskProfiles method on the
profiles thaws and freezes back the freezer cgroup.
Change-Id: I7f3e193ebe79b49c1f6ac52b6138ff4ec26fc570
On some devices we see a weird in which /metadata/apex will have a wrong
selinux label. This will effectively prevent such devices from getting
any apex updates. Since we haven't figured out a root cause for this
bug, it's safer to explicitly call restorecon on /metadata/apex to make
sure it's correct.
This change shouldn't affect a normal boot flow, since /metadata/apex
will already have a correct label and restorecon_recursive will be a
no-op.
Test: rm -Rf /metadata/apex && \
mkdir /metadata/apex &&
mkdir /metadata/apex/sessions
Bug: 149317789
Merged-In: I971ffe35c93bb79d9e71106c24515ec0ee70333a
Change-Id: I971ffe35c93bb79d9e71106c24515ec0ee70333a
(cherry picked from commit cf7b6bad55)
- zygote needs statsd for logging boot time event.
- statsd starting later leads into stats logging failure which
is reported by all child processes of zygote later.
This brings lots of noise in statsd error.
Bug: 159664734
Test: reboot and check if error log does not show up
E statsd : Found dropped events: 1 error -19 last atom tag 240 from uid 10169
Change-Id: Ie585febb50a9668671c8fda41a872595baae8385
Test: built and booted
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Merged-In: If80758b3d7bf499d428880efa5ed555076bfc291
Change-Id: If80758b3d7bf499d428880efa5ed555076bfc291
On some devices we see a weird in which /metadata/apex will have a wrong
selinux label. This will effectively prevent such devices from getting
any apex updates. Since we haven't figured out a root cause for this
bug, it's safer to explicitly call restorecon on /metadata/apex to make
sure it's correct.
This change shouldn't affect a normal boot flow, since /metadata/apex
will already have a correct label and restorecon_recursive will be a
no-op.
Test: rm -Rf /metadata/apex && \
mkdir /metadata/apex &&
mkdir /metadata/apex/sessions
Bug: 149317789
Change-Id: I971ffe35c93bb79d9e71106c24515ec0ee70333a
Improve app startup performance before the new app is in the top-app
cpuset.
Test: boots, zygote64 in top-app stune group
Bug: 159201879
Change-Id: I3aad4b4b1d2f54db9e7ba86db8a655d8552bad0a
The FUSE filesystem is implemented by a Zygote child. If Zygote dies,
all of its children die along with it, including the FUSE daemon. The
FUSE filesystem is cleaned up automatically whenever the /dev/fuse file
descriptor of the FUSE daemon is closed. However, due to the way the
binder driver holds on to the 'struct files' of processes in the kernel,
the closing of FDs of all of Zygote's children is serialized.
That in turn means that, if a process has a file with dirty pages on
FUSE, and that FD is closed *before* the FUSE FD, the FUSE kernel driver
will happily issue a request to the FUSE daemon to serve that request.
But since the FUSE userspace daemon is already dead, it will never get
served. And because the closing of all FDs is serialized, we will never
close the FUSE fd to unblock this request.
Solve this particular case by manually aborting the FUSE filesystem when
Zygote restarts. Because we now explicitly close the FUSE fd, the FUSE
filesystem will be cleaned up, all outstanding requests to it will be
cancelled, and new ones will be skipped.
Bug: 153411204
Test: kill zygote manually
Change-Id: I2cb6c1a03cc1a932461ff33558894a428ff35180
Bug: 153849221
Test: build and try to capture the trace by perfetto and systrace
Change-Id: Ie8a13e12038bd66afcd264079a2c5f25daaa20ee
Merged-In: Ie8a13e12038bd66afcd264079a2c5f25daaa20ee
(cherry picked from commit 9d19a05422)
This will allow Phonesky to read APEXes under /data/apex/active.
Test: adb shell su 10114 dd if=/data/apex/active/com.android.tzdata@300000000.apex of=/dev/null
Bug: 154635217
Merged-In: I5278897413ca0e32aed9d1c7f82e48138bc51404
Change-Id: I5278897413ca0e32aed9d1c7f82e48138bc51404
- Cherry pick of aosp/1228482
As of aosp/1224611, there is a new step in the preparation of APEXes
where init calls back into apexd after DE user data is unencrypted to
allow DE apex data to be snapshotted or restored.
aosp/1228581 introduces a new apexd.status value of "activated" that
is set once APEXes are activated but before this snapshot has occurred.
init may execute "perform_apex_config" once this has occurred, so this
CL changes init to wait for "activated" rather than "ready" before
doing this.
Bug: 148672144
Test: build & flash, check boot completes and check in logs that init
waits on the correct status value.
Merged-In: I339580bf593d3b09a5dff749ac2a5d1952bcb210
Change-Id: I71b62c9dd2f7951811606002f38612784d3d9086
This will allow Phonesky to read APEXes under /data/apex/active.
Test: adb shell su 10114 dd if=/data/apex/active/com.android.tzdata@300000000.apex of=/dev/null
Bug: 154635217
Change-Id: I5278897413ca0e32aed9d1c7f82e48138bc51404
This patch removed the old writeout policy tune which was never touched since
2009. In the meantime, most of Android devices are equipped with over 4GB DRAM
and very fast flash storages like UFS, which becomes more like desktop or
servers in 2009. So, it'd be worth to go back to use the default kernel configs.
Bug: 129751503
Change-Id: Idb58f5b01bbc4afd270cffba5b8912ea3565819f
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Also reordered the directories in alphabetical order
Test: m -j
Bug: 149838525
Merged-In: I1a918d189d8bcb394ec6f818d033dbf7e4518713
Change-Id: I4b10a01ed6b3285aec6d87765f225c41ec55be96
create new profiles to allowing thawing and freezing back the freezer
cgroup
Bug: 151225245
Test: Manually verified that using the SetTaskProfiles method on the
profiles thaws and freezes back the freezer cgroup.
Change-Id: I7f3e193ebe79b49c1f6ac52b6138ff4ec26fc570
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
Merged-In: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
Test: Able to boot without error
Bug: 150671726
Merged-In: If366d284f4f01ebfa660e85bad57861c120ada7e
Change-Id: I9d85c00d191dcaa46c0182b5a15cd89dcdb9ea5e
(cherry picked from commit 1a5ae50943)
Apexes do not support "on" macros, so we are moving
them into the system partition
Bug: 145923087
Test: m -j
Change-Id: Ic671a51f2ec5b91f2f631bae0f509b4aa2d057b4
Merged-In: Ic84e77269f80097b675d6a1b0d206c2bae7d918d
Apexes do not support "on" macros, so we are moving
them into the system partition
Bug: 145923087
Test: m -j
Change-Id: Ic84e77269f80097b675d6a1b0d206c2bae7d918d
Adding two new public keys for R-Developer-GSI and S-Developer-GSI,
respectively.
Bug: 149805495
Test: m r-developer-gsi.avbpubkey
Test: m s-developer-gsi.avbpubkey
Change-Id: Iaa7521ef40b94f13fe3c9c61d276678f47c60b98
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
When kernel lowmemorykiller driver is enabled lmkd detects it by
checking write access to /sys/module/lowmemorykiller/parameters/minfree
parameter. By default this file does not have write access and init
process changes that from "on boot" section of init.rc. However
"on boot" is never executed in the charger mode, therefore lmkd fails
to detect the kernel driver. Fix this by setting lowmemorykiller kernel
driver parameters before lmkd is started.
Bug: 148572711
Test: boot into charger mode with kernel lmk driver enabled
Change-Id: Ifc3ef725b95bdb5f7d801031429dc26bae014d1f
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
It is already disabled, but having an explcit value in the prop makes
some code in the system_server, easier.
Will follow up with a cl to explicitly enable it on internal master,
aosp will remain this way since it doesn't have the additional
components to run FUSE.
Test: Freshly wiped and flashed device has persist.sys.fuse set to false
Bug: 135341433
Merged-In: I1493e2806823b5751794a9a17ee248dc72b857ff
Change-Id: Ibb955a543e367aa2f4518d5c1c4d070cd084eca0
- schedtune.prefer_idle 1
- schedtune.boost 1
Test: mm
Test: configure NNAPI HAL to use nnapi-hal stune
Test: measure perf difference using MLTS benchmark
Change-Id: I5f467c6a58f2c1da40ec8276e101defc808854a3
(cherry picked from commit 1d748feaec)
Instead they will be logged from system_server. This CL just prepares
grounds for logging CL to land.
Test: adb reboot userspace
Bug: 148767783
Change-Id: Ie9482ef735344ecfb0de8a37785d314a3c0417ff
As of aosp/1224611, there is a new step in the preparation of APEXes
where init calls back into apexd after DE user data is unencrypted to
allow DE apex data to be snapshotted or restored.
aosp/1228581 introduces a new apexd.status value of "activated" that
is set once APEXes are activated but before this snapshot has occurred.
init may execute "perform_apex_config" once this has occurred, so this
CL changes init to wait for "activated" rather than "ready" before
doing this.
Bug: 148672144
Test: build & flash, check boot completes and check in logs that init
waits on the correct status value.
Change-Id: I339580bf593d3b09a5dff749ac2a5d1952bcb210
snapshotctl merge --logcat --log-to-file
- If --logcat, log to logcat
- If --log-to-file, log to /data/misc/snapshotctl_log/
- If both, log to both
- If none, log to stdout
Test: manually test these 4 cases
Bug: 148818798
Change-Id: I44b52936c0d095867acc6ee781c6bec04f6ebd6b
Mount binderfs at /dev/binderfs. Also add symlinks from /dev/binder,
/dev/hwbinder and /dev/vndbinder to /dev/binderfs/binder,
/dev/binderfs/hwbinder and /dev/binderfs/vndbinder respectively.
The symlink commands will fail harmlessly on a kernel
which does not support binderfs since /dev/{binder,hwbinder,vndbinder}
devices will exist on the same.
Bug: 136497735
Bug: 148696163
Test: Cuttlefish boots on Android Common Kernel 4.19 with kernel config
CONFIG_ANDROID_BINDERFS=y.
Change-Id: I8e04340dc4622b0a3c1fc4aa6bbefcb24eefe00b
This calls into apexd to allow it to snapshot and restore DE apex data
in the case of a rollback. See the corresponding apexd change for more
information.
Cherry-pick from (unsubmitted) internal CL: ag/10163227
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia4bacc9b7b7a77038ba897acbc7db29e177a6433
Use chattr to apply +F to /data/media
This will fail on devices who do not support casefolding on userdata.
Bug: 138322712
Test: /data/media is set to +F.
Change-Id: Ib341c23a0992ee97b23113b3a72f33a61e583b04
This reverts commit 8e50be74ae.
Reason for revert: Several devices did not boot
Test: Local build with this reverted had the device boot
Bug: 148689473
Merged-In: I97e96bd86d02a9fe70c5ef02df85c604b0cfb3c3
Change-Id: Ic4a2990e7c0cb08c374a336422c08d9aad28049d
Only the FUSE daemon (with media_rw gid) needs access to paths on
/mnt/pass_through. And even then, it only needs execute access on the
dirs, since there will always be a bind mount either from sdcardfs or
the lower filesystem on it and that bind mount correctly handles ACLs
for the FUSE daemon.
Test: manual
Bug: 135341433
Change-Id: I999451e095da355e6247e9e18fb6fe1ab8fc45d6
This is the expected location on Linux and this makes 'ip tuntap' work.
Before:
vsoc_x86_64:/ # ip tuntap add dev tun0 mode tun
open: No such file or directory
vsoc_x86_64:/ # ip tuntap add dev tap0 mode tap
open: No such file or directory
vsoc_x86_64:/ # ip tuntap list
After:
vsoc_x86_64:/ # ip tuntap add dev tun0 mode tun
vsoc_x86_64:/ # ip tuntap add dev tap0 mode tap
vsoc_x86_64:/ # ip tuntap list
tap0: tap UNKNOWN_FLAGS:800
tun0: tun UNKNOWN_FLAGS:800
$ adbz shell ls -ldZ / /dev /dev/tun /dev/net /dev/net/tun
drwxr-xr-x 25 root root u:object_r:rootfs:s0 4096 2020-01-25 09:48 /
drwxr-xr-x 21 root root u:object_r:device:s0 1240 2020-01-25 09:48 /dev
drwxr-xr-x 2 root root u:object_r:device:s0 60 2020-01-25 09:48 /dev/net
lrwxrwxrwx 1 root root u:object_r:device:s0 6 2020-01-25 09:48 /dev/net/tun -> ../tun
crw-rw---- 1 system vpn u:object_r:tun_device:s0 10, 200 2020-01-25 09:48 /dev/tun
Test: see above
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2aa215711454ce4f8a0ef1f34c17621629060fa1
Mount binderfs at /dev/binderfs. Also add symlinks from /dev/binder,
/dev/hwbinder and /dev/vndbinder to /dev/binderfs/binder,
/dev/binderfs/hwbinder and /dev/binderfs/vndbinder respectively.
Bug: 136497735
Test: Cuttlefish boots on Android Common Kernel 4.19 with kernel config
CONFIG_ANDROID_BINDERFS=y.
Change-Id: I349face22a2e73bfd79af0188e41188c323388f7
In Android kernels >4.4 we will see an empty /sys/kernel/tracing
directory which is notionally where you should mount tracefs if you
don't want to mount debugfs. As we move towards not mounting debugfs,
ensure that the non-legacy location also has adequate permissions to be
read by tracing tools.
Note that this change will be OK even if the board init.rc doesn't mount
tracefs here, because sysfs will always create this directory.
Bug: 148436518
Change-Id: I674587d0f08effdb8471a82e3b1ceec3af8588de
Also reset some more properties to make bootanimation work properly.
Test: adb reboot userspace
Bug: 148172262
Change-Id: I0154d4fe9377c019150f5b1a709c406925db584d
To allow apps with MANAGE_EXTERNAL_STORAGE permission and therefore
external_storage gid to access unreliable volumes directly on
/mnt/media_rw/<volume>, they need access to the /mnt/media_rw path.
This change doesn't break the FUSE daemon, the only process that should
have media_rw gid in R because the FUSE daemon accesses the lower
filesystem from the pass_through bind mounts of the public volume mount
itself so it doesn't need to walk the /mnt/media_rw path itself
Test: With FUSE enabled, a reliably mounted public volume is accessible
on /storage
Bug: 144914977
Change-Id: Ia3fc9e7483894402c14fb520024e2acca821a24d
It previously had 0755 permission bits
With such permissive bits, an unauthorized app can access a file using
the /mnt/pass_through path for instance even if access via /storage
would have been restricted.
It is now 0700
TODO: Change ACL for /mnt/user from 0755 to 0700 in vold only when
FUSE flag is on. Changing it with FUSE off breaks accessing /sdcard
because /sdcard is eventually a symlink to /mnt/user/0/primary
Test: adb shell ls -d /mnt/pass_through
Bug: 135341433
Change-Id: I3ea9655c6b8c6b4f847b34a2d3b96784a8f4a160
Yifan Hong